The Safeguard Rule: A New Focus?
The Safeguard rule is designed to protect customer information. For this reason it is important that investment advisers and broker-dealers adopt and properly implement reasonably designed policies and procedures. In the age of cybersecurity, no doubt the rule is key. As August drew to a close, the Commission brought three cases focused on enforcing compliance with the rule. Cetera, discussed below, it representative of the actions filed and settled.
In the Matter of Cetera Advisors Networks, LLC, Adm. Proc. File No. 3-20490 (August 30, 2021) is a proceeding which names the registered investment advisor and broker-dealer, along with four of its affiliates that are wholly owned and controlled subsidiaries as respondents. Those firms are Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC and Cetera Investment Advisers LLC.
The case centers on a failure to properly implement the Safeguard Rule. That Rule has three purposes: 1) To protect the security and confidentiality of client information; 2) to protect customer information against hazards; and 3) to protect against hacks. Over a three-year period, beginning in 2017, about 60 Cetera Entities’ personnel were taken over by unauthorized third parties resulting in the exposure of over four thousand customers. At the time none of the accounts had multi-factor authentication turned on, although firm policy did require it whenever possible. None of the accounts appear to have engaged in unauthorized transactions.
The firm failed to properly implement the Rule. During the period Respondents had in place policies and procedures regarding certain aspects of the Rule, but they were not reasonably designed and properly implemented. The firm also had a number of tools available to it to implement controls that would mitigate higher risks. The Order alleges violations of Advisers Act Section 206(4). In resolving the matter, Respondents undertook remedial acts. They also consented to the entry of cease-and-desist orders based on the Section cited in the Order and the related Rule and to a censure. Respondents wil pay a civil penalty of $300,000. See also In the Matter of Cambridge Investment Research, Adm. Proc. File No. 3-20496 (August 30, 2021)(names the firm and an affiliate as respondents; also based on the Safeguard Rule on similar facts; resolved with a cease-and-desist order to same Section and Rule cited above, a censure, and the payment of a $250,000 penalty); In the Matter of KMS Financial Services, Inc., Adm. Proc. File No. 3-20495 (August 30, 2021)(action naming the firm, a registered investment adviser and broker-dealer as a Respondent; based on similar facts as the cases cited above; resolved with a consent to the entry of a cease-and-desist order based on the same sections and a censure; also a penalty in the amount of $200,000).